The WSF Data Protection Policy

Introduction

In order for the Williams Syndrome Foundation to function, it must keep and process personal information (some of which may be sensitive) about members, employees, trustees and members of our Professional Advisory Panel. We have therefore adopted this policy not only to meet our legal obligations but, in recognition of the vulnerability of our WS members, to ensure all of our membership's personal data is protected. When reviewing this document, the WSF has made amendments to comply with the General Data Protection Regulation which will come into effect on 25th May 2018. This policy will be reviewed annually.

Personal Data

All Personal Data given to the WSF will be used for the purposes outlined to members when they joined the WSF. This has been reclarified in the Member Consent Form issued to all members in April 2018 along with an update on the GDPR legislation. From 25th May 2018, the WSF will hold personal data for members who have paid their annual subscription fee (thereby actively opting in to membership and providing us with authorisation to hold their contact details) or members who have completed the April 2018 Consent Form (or subsequent versions); all other personal data will be permanently deleted. The WSF will only keep and process personal information in accordance with submitted expressed preferences. These purposes are detailed below.

Personal data collected and processed by the WSF may be used for the following purposes:

For members who have paid their subscription fee but not completed the April 2018 Consent Form

Administration of membership(s)

Confirming consents

For members who have completed the April 2018 consent form

Administration of membership(s)

Requests for assistance, registration for events and requests for resources and merchandise from members (if consent was provided)

Photographic images may be used in our publications and/or website and social media subject to consent (if consent was provided).

In order to comply with regulations, the WSF will ensure that all personal data:

Is processed lawfully, fairly and transparently.

Is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.

Is adequate, relevant and limited i.e. only the minimum amount of data should be kept for specific processing.

Is accurate and where necessary kept up to date.

Is not stored for longer than is necessary, and that storage is safe and secure.

Is processed in a manner that ensures appropriate security and protection.

Processing and Accessing Personal Data

Personal data collected and processed by the WSF may be shared with the following groups where necessary:

WSF employees

WSF trustees (when trustees are working alongside employees as a voluntary resource, or where a member's request requires trustee consideration)

WSF professionals (PAP) and researchers only with express permission.

When the WSF allows access to personal data, only essential data will be shared. When this is outside of staff and officers, the WSF will specify how the data can be used and require the permanent deletion of all personal data upon completion of the process.

Retention

The WSF has a duty to only hold personal information as long as is necessary for the purpose of your membership:

Membership ceased following member communication – deleted within 30 days

Membership ceased following lapsed renewal – deleted within 90 days

The Foundation may keep non-personal data following database removal for statistical purposes i.e. sex/year of birth/county.

Consent

A membership requirement is the completion of a consent form allowing for the retention and processing of personal data. All members can change their consent at any time in writing. All changes will be made within 30 days.

Member Access to personal data held by the WSF

All members have the right to request, in writing, a copy of the information we have on record about them. A copy will be sent as soon as possible and no later than 30 days after the request.

All members have the right to request to be forgotten. All personal data will then be permanently deleted as soon as possible and no later than 30 days after the request.

Accuracy of Personal Data

The WSF has a duty to ensure that all of its personal data is accurate and up-to-date. Members have been advised to inform the WSF of any changes in their personal information by email or letter. All changes will be made within 30 days.

Data Security

The WSF has a duty to ensure that all data is stored securely. All access to members' Personal Data is limited to WSF computers and storage drives. All devices are password protected and have malware security. The WSF Database is password protected and encrypted. The WSF will not hold any member personal information on cloud storage (unless it is within the EU). Emails and website operate on servers within the EU and are secure.

Regional Contacts

The WSF has a network of Regional Contacts (RCs), DBS checked volunteers, who are available for local help and advice and may organise local events. Members may contact their Regional Contacts (RCs) for advice or to access local events. RCs will complete a GDPR compliance form upon appointment agreeing to permanently delete member emails within 30 days. RCs & former RCs have been requested to delete any member data they hold prior to the GDPR becoming legislation.

Professional Research

The WSF provides funding to continue medical, behavioural and educational research into Williams Syndrome. If consent has been provided, University researchers may contact members for the purposes of research. Each research project has specific consent forms that participants will need to complete, and all research proposals have been screened by ethics committees before being presented to the Professional Advisory Panel (PAP). The PAP only approves proposals that will ultimately benefit members of the WSF by increasing our knowledge of WS and associated behaviours and outcomes. The WSF will require that safeguarding measures are in place for children and WS individuals when the research is conducted in person.

Data Breaches

A data breach is a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. The WSF will investigate any data breach within 24 hours of discovery, notifying all trustees that a breach has occurred and following the procedure outlined in the WSF Data Breach Procedure. The severity of the breach will be assessed and in the event of a major breach involving significant details of WS individuals, the police and the ICO would be informed alongside the individuals affected.

Disclosure Information

The WSF will as necessary undertake checks on staff, trustees, PAP members and Regional Volunteers with the Disclosure and Barring Service and will comply with their Code of Conduct relating to the secure storage, handling, use, retention and disposal of Disclosures and Disclosure Information.